Abstract

The theory of Petri Nets provides a general framework to specify the behaviors of real-time reactive systems, and Time Petri Nets were introduced to also take temporal specifications into account. We present in this paper a forward zone-based algorithm to compute the state space of a bounded Time Petri Net: the method is different from and more efficient than the classical State Class Graph. We prove the algorithm to be exact with respect to the reachability problem. Furthermore, we propose a translation of the computed state space into a Timed Automaton, proved to be timed bisimilar to the original Time Petri Net. As the method produces a single Timed Automaton, syntactical clock reduction methods (Daws and Yovine for instance) may be applied to produce an automaton with fewer clocks. Our method thus allows model-checking T-TPN with efficient Timed Automata tools.

KEYWORDS: Time Petri Nets, Timed Automata, Bisimulation, Reachability Analysis, 
Zones. 



1 Introduction 
Framework 

The theory of Petri Nets provides a general framework to specify the behaviors of real-time reactive systems, and time extensions were introduced to also take temporal specifications into account. The two main time extensions of Petri Nets are Time Petri Nets (TPN) [Merlin 1974] and Timed Petri Nets [Ramchandani 1974]. While a transition can be fired within a given interval in TPN, in Timed Petri Nets transitions are fired as soon as possible. There are also numerous ways of representing time. TPN are mainly divided into P-TPN, A-TPN and T-TPN, where a time interval is relative to places (P-TPN), arcs (A-TPN) or transitions (T-TPN). Finally, Time Stream Petri Nets [Diaz and Senac 1994] were introduced to model multimedia applications.

Concerning the timing analysis of these three models ((T,P,A)-TPN), few studies have addressed model-checking. Recent works [Abdulla and Nylen 2001; de Frutos Escrig et al. 2000] consider Timed Arc Petri Nets, where each token has a clock representing its "age". Using a backward exploration algorithm [Abdulla and Jonsson 1998; Finkel and Schnoebelen 1998], it is proved that coverability and boundedness are decidable for this class of Petri Nets. However, they assume a lazy (non-urgent) behavior of the net: the firing of a transition may be delayed even if its clock's value becomes greater than its latest firing time, disabling the transition.

In [Rokicki 1993; Rokicki and Myers 1994], Rokicki considers an extension of labeled Petri Nets called Orbital Nets: each transition of the TPN (safe P-TPN) is labeled with a set of events (actions). The state space is built using a forward algorithm very similar to the region-based method of Alur and Dill. Rokicki finally uses partial order methods to reduce time and space requirements for verification purposes. The semantics used is not formally defined and seems to differ from another commonly adopted one proposed by Khansa [Khansa et al. 1996] for P-TPN.

In this paper, we consider T-TPN, in which a transition can be fired within a time interval. For this model, boundedness is undecidable, and existing works report either undecidability results or decidability results under the assumption that the T-TPN is bounded (as for reachability, decidable under this assumption [Popova 1991]).

Related Works 

State Space Computation of a T-TPN. The main method to compute the state space of a T-TPN is the State Class Graph [Menasche 1982; Berthomieu and Diaz 1991]. A class $C$ of a T-TPN is a pair $(M, D)$ where $M$ is a marking and $D$ a set of inequalities called the firing domain. The variable $x_i$ of the firing domain represents the firing time of the enabled transition $t_i$ relative to the time when the class $C$ was entered, truncated to nonnegative times. The State Class Graph preserves markings [Berthomieu and Vernadat 2003] as well as traces and complete traces, but can only be used to check untimed reachability properties and is not accurate enough for checking quantitative real-time properties. An alternative approach has been proposed by Yoneda et al. [Yoneda and Ryuba 1998] in the form of an extension of equivalence classes (atomic classes) which allows CTL model-checking. Lilius [Lilius 1999] refined this approach so that it becomes possible to apply partial order reduction techniques that have been developed for untimed systems. Berthomieu and Vernadat [Berthomieu and Vernadat 2003] propose an alternative construction of the graph of atomic classes of Yoneda, applicable to a larger class of nets. In [Okawa and Yoneda 1997], Okawa and Yoneda propose another method to perform CTL model-checking on T-TPN: they use a region-based algorithm on safe T-TPN without $\infty$ as latest firing time. Their algorithm is based on the one of [Alur and Dill 1994] and aims at computing a graph preserving branching properties. Nevertheless, the algorithm used to construct the graph seems inefficient (it encodes regions) and no result can be exploited to compare with other methods.
From T-TPN to TA. Several approaches aim at translating a Time Petri Net into a Timed Automaton in order to use the efficient existing tools on TA. In [Cortes et al. 2000], Cortes et al. propose to transform an extension of T-TPN into the composition of several TA. Each transition is translated into an automaton (not necessarily identical ones, due to conflict problems) and it is claimed that the composition captures the behavior of the T-TPN. In [Cassez and Roux 2004], Cassez and Roux propose another structural approach: each transition is translated into a TA using the same pattern. The authors prove the two models to be timed bisimilar. In [Sava and Alla 2001], Sava and Alla compute the graph of reachable markings of a T-TPN. The result is a TA. However, they assume the T-TPN is bounded and does not include $\infty$ as latest firing time. No proof is given of the timed bisimilarity between the two models. In [Lime and Roux 2003], Lime and Roux propose a method for building the State Class Graph of a bounded T-TPN as a TA. They prove the T-TPN to be timed bisimilar to the generated TA.

Considering the translation of T-TPN into TA in order to study a model's properties raises the problem of the feasibility of model-checking the resulting TA. The model-checking complexity on TA is exponential in the number of clocks of the TA. The transformation proposed in [Cassez and Roux 2004; Cortes et al. 2000] builds as many TA as there are transitions in the T-TPN. Consequently, there are as many clocks as in the initial T-TPN. It has also to be considered that the clock reduction method of [Daws and Yovine 1996] cannot be applied to the resulting TA: the parallel composition has to be computed first. Nevertheless, the construction of the TA is straightforward and linear in the number of transitions of the T-TPN. Concerning the method in [Lime and Roux 2003], the resulting TA has a lower number of clocks. The method we propose produces an automaton with more clocks than the previous method, but its computation is faster.

Such translations show that TCTL and CTL are decidable for bounded T-TPN 
and that developed algorithms on TA may be extended to T-TPN. 



Contributions 

This paper is devoted to presenting an alternative approach to the state space construction of a T-TPN. The method is mainly based upon the region graph algorithm of Alur and Dill on Timed Automata. We propose to use a derived method using zones to compute the state space of the T-TPN. The algorithm is proved to be exact with respect to the reachability problem, and we propose to translate the state space it computes into a Timed Automaton, thereby bringing the power of TA model-checking algorithms to T-TPN.

We first recall the semantics of T-TPN and present a forward zone-based algorithm that computes the state space of a T-TPN. Next, we present the labeling of the state space that produces a TA we prove to be timed bisimilar to the original T-TPN. We then compare our method to other methods used on T-TPN and show its advantages. Finally, some applications are proposed.
2 Time Petri Nets



2.1 Definitions



Time Petri Nets (T-TPN) are a time extension of classical Petri Nets. Informally, 
with each transition of the Net is associated a clock and a time interval. The clock 
measures the time since the transition has been enabled and the time interval is 
interpreted as a firing condition: the transition may fire if the value of its clock 
belongs to the time interval. 
Formally: 

Definition 1 (T-TPN)

A Time Petri Net is a tuple $(P, T, {}^\bullet(.), (.)^\bullet, \alpha, \beta, M_0)$ defined by:

• $P = \{p_1, p_2, \ldots, p_m\}$ is a non-empty set of places,

• $T = \{t_1, t_2, \ldots, t_n\}$ is a non-empty set of transitions,

• ${}^\bullet(.) : T \to \mathbb{N}^P$ is the backward incidence function,

• $(.)^\bullet : T \to \mathbb{N}^P$ is the forward incidence function,

• $M_0 \in \mathbb{N}^P$ is the initial marking of the Petri Net,

• $\alpha : T \to \mathbb{Q}_{\geq 0}$ is the function giving the earliest firing times of transitions,

• $\beta : T \to \mathbb{Q}_{\geq 0} \cup \{\infty\}$ is the function giving the latest firing times of transitions.

A Petri Net marking $M$ is an element of $\mathbb{N}^P$ such that for all $p \in P$, $M(p)$ is the number of tokens in the place $p$.

A marking $M$ enables a transition $t_i$ if $M \geq {}^\bullet t_i$. The set of transitions enabled by a marking $M$ is $enabled(M)$.

A transition $t_k$ is said to be newly enabled by the firing of a transition $t_i$ if $M - {}^\bullet t_i + t_i^\bullet$ enables $t_k$ and $M - {}^\bullet t_i$ did not enable $t_k$. If $t_i$ remains enabled after its firing then $t_i$ is newly enabled. The set of transitions newly enabled by a transition $t_i$ for a marking $M$ is noted $\uparrow enabled(M, t_i)$.

$v \in (\mathbb{R}_{\geq 0})^T$ is a valuation of the system. $v_i$ is the time elapsed since the transition $t_i$ has been newly enabled.

The semantics of T-TPN is defined as a Timed Transition System (TTS). Firing a transition is a discrete transition of the TTS; waiting in a marking is the continuous transition.

Definition 2 (Semantics of a T-TPN)

The semantics of a T-TPN is defined by the Timed Transition System $S = (Q, q_0, \rightarrow)$:

• $Q = \mathbb{N}^P \times (\mathbb{R}_{\geq 0})^T$,

• $q_0 = (M_0, \mathbf{0})$,

• $\rightarrow \subseteq Q \times (T \cup \mathbb{R}_{\geq 0}) \times Q$ is the transition relation, including a discrete transition and a continuous transition.

• The continuous transition is defined $\forall d \in \mathbb{R}_{\geq 0}$ by:

• The discrete transition is defined $\forall t_i \in T$ by:

$$(M, v) \xrightarrow{t_i} (M', v') \iff \begin{cases} M' = M - {}^\bullet t_i + t_i^\bullet \\ \alpha(t_i) \leq v_i \leq \beta(t_i) \\ \forall k \in [1, n],\ v'_k = \begin{cases} 0 & \text{if } t_k \in \uparrow enabled(M, t_i) \\ v_k & \text{otherwise} \end{cases} \end{cases}$$



2.2 The State Class Method 

The main method for computing the state space of a Time Petri Net is the State Class Method introduced by Berthomieu and Diaz in [Berthomieu and Diaz 1991].

Definition 3 (State Class) 

A State Class $C$ of a T-TPN is a pair $(M, D)$ where $M$ is a marking and $D$ a set of inequalities called the firing domain. The variable $x_i$ of the firing domain represents the firing time of the enabled transition $t_i$ relative to the time when the class $C$ was entered.

The State Class Graph is computed iteratively as follows: 

Definition 4

Given a class $C = (M, D)$ and a firable transition $t_j$, the successor class $C' = (M', D')$ by the firing of $t_j$ is obtained by:

1. Computing the new marking $M' = M - {}^\bullet t_j + t_j^\bullet$.

2. Making the variable substitution in the domain: $\forall i \neq j$, $x_i \leftarrow x'_i + x_j$.

3. Eliminating $x_j$ from the domain, using for instance the Fourier-Motzkin method.

4. Computing a canonical form of $D'$, using for instance the Floyd-Warshall algorithm.

In the state class method, the domain associated with a class is relative to the 
time when the class was entered in and as the transformation (time origin switching) 
is irreversible, absolute values of clocks cannot be obtained easily. The produced 
graph is an abstraction of the state space for which temporal information has been 
lost and generally, the graph has more states than the number of markings of the 
T-TPN. Transitions between classes are no longer labeled with a firing constraint 
but only with the name of the fired transition: the graph is a representation of the 
untimed language of the T-TPN. 



2.3 Limitations of the State Class Method 

As a consequence of the State Class Graph construction, sophisticated temporal 
properties are not easy to check. Indeed, the domain associated with a marking is 
made of relative values of clocks and the function to compute domains is not bi- 
jective. Consequently, domains can not easily be used to verify properties involving 
constraints on clocks. 

In order to get rid of these limitations, several works construct a different State 
Class Graph by modifying the equivalence relation between classes. To our knowledge, the proposed methods [Berthomieu and Vernadat 2003] depend on the property to check: checking LTL or CTL properties leads to constructing different State Class Graphs.

Another limitation of methods and proposed tools to check properties is the need 
to compute the whole state space while only the reachability of a given marking is 
needed (e.g. for safety properties). The graph is then analyzed by a model-checker. 
The use of T-TPN observers is even more costly: actually, for each property to be 
checked, a new State Class Graph has to be built and the observer can dramatically 
increase the size of the state space. 

In the next section we will present another method to compute the state space of 
a bounded T-TPN. It will be used in a later section to propose a Timed Automaton 
that is timed bisimilar to the original T-TPN. As the graph has exactly as many 
nodes as the number of reachable markings of the T-TPN, we obtain a compact 
representation of the state space which may be efficiently model-checked using TA 
tools. 

3 A Forward Algorithm to Compute the State Space of a Bounded T-TPN

The method we propose in this paper is an adaptation, proved to be exact, of the region-based method for Timed Automata [Alur and Dill 1994; Rokicki 1993]. This algorithm starts from the initial state and explores all possible evolutions of the T-TPN by firing transitions or by letting a certain amount of time elapse.

First, we define a zone as a convex union of regions as defined by Alur and Dill [Alur and Dill 1994]. In short, considering $n$ clocks, a zone is a convex subset of $(\mathbb{R}_{\geq 0})^n$. A zone can be represented by a conjunction of constraints on pairs of clocks: $x_i - x_j \sim c$ where $\sim \in \{<, \leq, =, \geq, >\}$ and $c \in$

3.1 Our Algorithm: One Iteration 

Given the initial marking and the initial values of clocks (null vector), timing successors are iteratively computed by letting time pass or by firing transitions.

Let $M_0$ be a marking and $Z_0$ a zone. The computation of the reachable markings from $M_0$ according to the zone $Z_0$ is done as follows:

• Compute the possible evolution of time (future): $\overrightarrow{Z_0}$. This is obtained by setting all upper bounds of clocks to infinity.

• Select only the possible valuations of clocks for which $M_0$ could exist, i.e. valuations of clocks must not be greater than the latest firing time of enabled transitions:

$Z'_0 = \overrightarrow{Z_0} \cap \{\bigwedge_i x_i \leq \beta_i \mid t_i \in enabled(M_0)\}$

So, $Z'_0$ is the maximal zone starting from $Z_0$ for which the marking $M_0$ is legal according to the T-TPN semantics.



State Space Computation and Analysis of Time Petri Nets 






• Determine the firable transitions: $t_i$ is firable if $Z'_0 \cap \{x_i \geq \alpha_i\}$ is a non-empty zone.

• For each firable transition $t_i$ leading to a marking $M_{0i}$, compute the zone entering the new marking:

$Z_i = (Z'_0 \cap \{x_i \geq \alpha_i\})[X_e := 0]$, where $X_e$ is the set of clocks of newly enabled transitions.

This means that each transition which is newly enabled has its clock reset. Then, $Z_i$ is a zone for which the new marking $M_{0i}$ is reachable.

3.2 Convergence Criterion 

To ensure termination, a list of zones is associated with each reachable marking. It keeps track of the zones for which the marking was already analyzed or will be analyzed. At each step, we compare the zone currently being analyzed to the ones previously computed. If the zone is included in one of the zones of the list, there is no need to go further, because it has already been analyzed or it would only lead to computing a subgraph of an already explored one.

3.3 Unboundedness in T-TPN 

An algorithm to enumerate the reachable markings of a bounded T-TPN could be based on the described algorithm but, generally, it would lead to a non-terminating computation. Though the number of reachable markings is finite for a bounded T-TPN, the number of zones in which a marking is reachable is not necessarily finite (see figure 1).




Figure 1. Time Petri Net with an unbounded number of zones 

Let us consider the infinite firing sequence $(T_2, T_3)^*$. The initial zone is $\{x_1 = 0 \wedge x_2 = 0\}$ (where $x_i$ is the clock associated with $T_i$) and the initial marking is $M_0 = (P_1, P_2, P_3) = (1, 1, 0)$. By letting time pass, $M_0$ is reachable until $x_2 = 1$. When $x_2 = x_1 = 1$ the transition $T_2$ has to be fired. The zone corresponding to the clock values is $Z_0 = \{0 \leq x_1 \leq 1 \wedge x_1 - x_2 = 0\}$. By firing $T_2$ and then $T_3$, the net returns to its initial marking. Entering it, the values of the clocks are $x_1 = 2$, $x_2 = 0$ and $x_1 - x_2 = 2$. Indeed, $T_1$ remains enabled while $T_2$ and $T_3$ are fired, and $x_2$ is reset when $T_3$ is fired because $T_2$ is newly enabled. Given these new values, the initial marking can exist while $x_2 \leq 1$, i.e. for the zone $Z_1 = \{2 \leq x_1 \leq 3 \wedge x_1 - x_2 = 2\}$. By applying the sequence $(T_2, T_3)$ infinitely often, there exists an infinite number of zones for which the initial marking is reachable.

Actually, the number of zones is not bounded because infinity is used as latest firing time ($T_1$). If infinity is not used as latest firing time, all clocks are bounded and so the number of different zones is bounded [Alur and Dill 1994]. The "naive" algorithm is then exact and can be used to compute the state space of a bounded T-TPN.

Consequence 1 

For a bounded T-TPN without infinity as latest firing time, this forward analysis 
algorithm using zones computes the exact state space of the T-TPN. 

In the next section, we propose a more general algorithm which computes the state space of a T-TPN as defined in section 2, i.e. with infinity allowed as latest firing time.

3.4 General Algorithm 

A common operator on zones is the $k$-approx operator. For a given value of $k$, the use of this operator allows creating only a finite set of distinct zones. The proposed algorithm is an extension of the one presented in the previous section. It consists in applying the $k$-approx operator on the zone resulting from the last step:

$Z_i = k\text{-}approx\big((Z'_0 \cap \{x_i \geq \alpha_i\})[X_e := 0]\big)$

This approximation is based on the fact that once the clock associated with an unbounded transition ($[\alpha, \infty[$) has reached the value $\alpha$, its precise value does not matter anymore.

Unfortunately, recent works on Timed Automata [Bouyer 2002; Bouyer 2003] proved that this operator generally leads to an overapproximation of the reachable localities of a TA. However, for a given class of TA (diagonal-free), there is no overapproximation of the reachable localities.

Results of Bouyer are directly extensible to T-TPN. As computations on zones only involve diagonal-free constraints, the following theorem holds:

Theorem 1 

A forward analysis algorithm using k-approx on zones is exact with respect to T- 
TPN marking reachability for bounded T-TPN. 

A detailed proof is available in [Gardey et al. 2003].

3.5 Example 

Let us consider the T-TPN of figure 1.

We associate the clock Xi with the transition Ti of the T-TPN and recall that 
clocks associated with each transition count the time since the transition has been 
newly enabled. 
The algorithm starts from the initial state $l_0 = (M_0, Z_0)$, with $M_0 = (1\ 1\ 0)$ and $Z_0 = \{x_1 = x_2 = 0\}$. At marking $M_0$, transitions $T_1$ and $T_2$ are enabled.

The first step is to compute the possible future, i.e. the maximal amount of time for which the marking $M_0$ may exist:

$Z'_0 = \overrightarrow{Z_0} \cap Inv(M_0) = \{x_1 = x_2 \in [0, \infty[\} \cap \{x_1 < \infty \wedge x_2 \leq 1\} = \{x_1 = x_2 \in [0, 1]\}$

From this zone, two transitions are firable: $T_1$ and $T_2$.

Firing of $T_1$

• the new marking is $M_1 = (0\ 1\ 0)$

• the new zone is obtained by intersecting the previous zone ($\overrightarrow{Z_0} \cap Inv(M_0)$) with the guard $x_1 \geq 0$, deleting the clocks of transitions that are no longer enabled in $M_1$ ($x_1$) and resetting the clocks of newly enabled transitions (none):

$Z_1 = \{x_1 = x_2 \in [0, 1]\} \cap \{x_1 \geq 0\}$ (intersect with guard)

$= \{x_1 = x_2 \in [0, 1]\}$

$= \{x_2 \in [0, 1]\}$ (delete $x_1$)

Firing of $T_2$

• the new marking is $M_3 = (1\ 0\ 1)$

• the new zone is obtained by intersecting the previous zone ($\overrightarrow{Z_0} \cap Inv(M_0)$) with the guard $x_2 \geq 1$, deleting the clocks of transitions that are no longer enabled in $M_3$ ($x_2$) and resetting the clocks of newly enabled transitions ($x_3$):

$Z_3 = \{x_1 = x_2 \in [0, 1]\} \cap \{x_2 \geq 1\}$ (intersect with guard)

$= \{x_1 = x_2 = 1\}$

$= \{x_1 = 1\}$ (delete $x_2$)

$= \{x_1 = 1 \wedge x_3 = 0\}$ (reset $x_3$)

We get two new states to analyze: $(M_1, Z_1)$ and $(M_3, Z_3)$. We apply the same algorithm to these two states.

Considering $(M_1, Z_1)$:

$Z'_1 = \overrightarrow{Z_1} \cap Inv(M_1) = \{x_2 \in [0, 1]\} \cap \{x_2 \leq 1\} = \{x_2 \in [0, 1]\}$

$T_2$ is firable and leads to the new state $(M_2, Z_2)$ with $M_2 = (0\ 0\ 1)$ and $Z_2 = \{x_3 = 0\}$. Analyzing $(M_2, Z_2)$ leads to the new state $(M_1, \{x_2 = 0\})$. As $\{x_2 = 0\} \subset Z_1$, the algorithm stops and gets a new state to analyze: $(M_3, Z_3)$.

Considering $(M_3, Z_3)$:

$Z'_3 = \overrightarrow{Z_3} \cap Inv(M_3) = \{x_1 - x_3 = 1,\ x_1 \in [0, \infty[\} \cap \{x_1 < \infty \wedge x_3 \leq 1\} = \{x_1 - x_3 = 1 \wedge x_3 \leq 1\}$

$T_3$ and $T_1$ are firable...

The analysis is performed until no new states are created. We then build the following graph of reachable markings.

Figure 2. Graph of reachable markings
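The iteration of section 3.1, the convergence criterion of section 3.2 and the $k$-approx step of section 3.4, run on the net of figure 1, as an added example in Python (written for this edit; it is neither the paper's code nor Mercutio's). Zones are DBMs with one clock per transition; the clock of a disabled transition is projected away (freed) instead of being removed from the matrix, and the net structure, reconstructed from sections 3.3 and 3.5, is an assumption.

```python
import math

# A DBM bound is (c, le): x_i - x_j <= c when le == 1, x_i - x_j < c when le == 0.  Python's
# tuple ordering then ranks bounds by tightness, so min() intersects and <= tests inclusion.
INF = (math.inf, 0)
ZERO = (0, 1)


def add(a, b):                  # compose two bounds: strict when either one is strict
    return INF if math.isinf(a[0] + b[0]) else (a[0] + b[0], a[1] & b[1])


class Zone:                     # DBM over clocks x_1..x_n and x_0 = 0; m[i][j] bounds x_i - x_j
    def __init__(self, n, m=None):
        self.n, self.m = n, m or [[ZERO] * (n + 1) for _ in range(n + 1)]   # all clocks = 0

    def canonical(self):        # Floyd-Warshall closure; returns False when the zone is empty
        r = range(self.n + 1)
        for k in r:
            for i in r:
                for j in r:
                    self.m[i][j] = min(self.m[i][j], add(self.m[i][k], self.m[k][j]))
        return not any(self.m[i][i] < ZERO for i in r)

    def reset(self, i):         # x_i := 0 (the zone must be canonical)
        for j in range(self.n + 1):
            self.m[i][j], self.m[j][i] = self.m[0][j], self.m[j][0]
        self.m[i][i] = ZERO

    def free(self, i):          # delete x_i: project the zone on the remaining clocks
        for j in range(self.n + 1):
            if j != i:
                self.m[i][j], self.m[j][i] = INF, self.m[j][0]

    def k_approx(self, k):      # extrapolation: bounds above k -> infinity, below -k -> "< -k"
        for row in self.m:
            row[:] = [INF if c > k else (-k, 0) if c < -k else (c, le) for c, le in row]

    def included_in(self, other):
        return all(a <= b for ra, rb in zip(self.m, other.m) for a, b in zip(ra, rb))


def enabled(marking, pre):
    return all(m >= p for m, p in zip(marking, pre))


def fire(marking, zone, i, trans, k):
    """Marking, entering zone and newly enabled transitions after firing transition i."""
    pre, post, alpha, _ = trans[i]
    z = Zone(zone.n, [row[:] for row in zone.m])
    z.m[0][i + 1] = min(z.m[0][i + 1], (-alpha, 1))      # guard x_i >= alpha_i
    if not z.canonical():
        return None                                      # t_i is not firable from this zone
    inter = tuple(m - p for m, p in zip(marking, pre))
    new = tuple(m + q for m, q in zip(inter, post))
    newly = set()
    for j, (pre_j, _, _, _) in enumerate(trans):
        if not enabled(new, pre_j):
            z.free(j + 1)                                # clock of a disabled transition is dropped
        elif j == i or not enabled(inter, pre_j):
            z.reset(j + 1)                               # newly enabled: its clock restarts at 0
            newly.add(j)
    z.k_approx(k)                                        # keeps the number of zones finite (theorem 1)
    z.canonical()
    return new, z, frozenset(newly)


def explore(trans, m0, k):
    """Forward exploration; returns {marking: [entering zones]} and the labeled edges."""
    z0 = Zone(len(trans))
    for j, (pre_j, _, _, _) in enumerate(trans):
        if not enabled(m0, pre_j):
            z0.free(j + 1)
    seen, work, edges = {m0: [z0]}, [(m0, z0)], set()
    while work:
        marking, zone = work.pop()
        zf = Zone(zone.n, [row[:] for row in zone.m])
        for j, (pre_j, _, _, beta) in enumerate(trans):   # let time elapse, but never past the
            zf.m[j + 1][0] = (beta, 1) if enabled(marking, pre_j) and beta < math.inf else INF
        zf.canonical()                                    # latest firing time of an enabled t_j
        for i in range(len(trans)):
            step = fire(marking, zf, i, trans, k) if enabled(marking, trans[i][0]) else None
            if step is None:
                continue
            new, zn, newly = step
            edges.add((marking, i, newly, new))   # label of section 4.2: t_i, x_i >= alpha_i, resets
            if any(zn.included_in(old) for old in seen.get(new, [])):
                continue                          # convergence criterion of section 3.2
            seen.setdefault(new, []).append(zn)
            work.append((new, zn))
    return seen, edges


# Net of figure 1 as reconstructed from sections 3.3 and 3.5 (an assumption); indices 0, 1, 2 are
# T1, T2, T3: T1 [0, inf[ consumes P1, T2 [1, 1] moves the token P2 -> P3, T3 [1, 1] moves it back.
EXAMPLE_NET = [((1, 0, 0), (0, 0, 0), 0, math.inf),      # (pre, post, alpha, beta) per transition
               ((0, 1, 0), (0, 0, 1), 1, 1),
               ((0, 0, 1), (0, 1, 0), 1, 1)]
EXAMPLE_M0 = (1, 1, 0)
```

With $k = 1$ (the largest finite constant of the net) `explore(EXAMPLE_NET, EXAMPLE_M0, 1)` terminates with the four markings of figure 2 and the six labeled edges of figure 3, and $M_0$ is entered with two incomparable zones, the situation section 3.3 describes.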



In this section we have presented an algorithm that exactly computes the reachable markings of a bounded T-TPN, with $\infty$ allowed as latest firing time. The graph computed is not suitable to verify timed logic properties. So, in the next section we present a transformation of the graph into a Timed Automaton we prove to be timed bisimilar to the original T-TPN. Consequently, model-checking methods on TA become available for the model-checking of T-TPN.



4 Marking Timed Automaton of Time Petri Net 

We first recall the definition of Timed Automata, introduced by Alur and Dill [Alur and Dill 1994], and their semantics.



4.1 Timed Automaton: Definitions

Timed Automata are an extension of classical automata providing timing constraints. A transition can occur if the clock valuations satisfy constraints called "guards". Actions on clocks (resets for instance) are associated with transitions. The system can idle in a locality if the valuations of clocks satisfy some constraints called "invariants".

Definition 5 (Constraints)

Let $V$ be a set of clocks. $C(V)$ is the set of timing constraints upon $V$, i.e. the set of expressions $\delta$ defined by:

$\delta ::= v \sim c \mid v - v' \sim c \mid \neg\delta_1 \mid \delta_1 \wedge \delta_2$

with $v, v' \in V$, $\sim \in \{<, \leq, =, \geq, >\}$ and $c \in \mathbb{N}$.



Definition 6 (TA)

A Timed Automaton is a tuple $(L, l_0, C, A, E, Inv)$ defined by:

• $L$ a finite set of locations,

• $l_0 \in L$ the initial location,

• $C$ a finite set of positive real-valued clocks,

• $A$ a finite set of actions,

• $E \subseteq L \times C(C) \times A \times 2^C \times L$ a finite set of transitions; $e = (l, \gamma, a, R, l')$ is the transition from location $l$ to location $l'$ with the guard $\gamma$, the label $a$ and the set of clocks to reset $R$,

• $Inv : L \times C(C) \to \{true, false\}$, a function assigning to each location an invariant.

The semantics of a Timed Automaton is given by a Timed Transition System 
(TTS). 

Definition 7 (Semantics of a TA)

The semantics of a Timed Automaton is the Timed Transition System $S = (Q, q_0, \rightarrow)$ where:

• $Q = L \times (\mathbb{R}_{\geq 0})^C$,

• $q_0 = (l_0, \mathbf{0})$,

• $\rightarrow$ is the transition relation, including a discrete transition and a continuous transition.

• The discrete transition is defined $\forall a \in A$ by:

$$(l, v) \xrightarrow{a} (l', v') \iff \exists (l, \gamma, a, R, l') \in E \text{ such that } \begin{cases} \gamma(v) = true \\ v' = v[R \leftarrow 0] \\ Inv(l')(v') = true \end{cases}$$

• The continuous transition is defined $\forall d \in \mathbb{R}_{\geq 0}$ by:

$$(l, v) \xrightarrow{d} (l, v + d) \iff \forall t' \in [0, d],\ Inv(l)(v + t') = true$$



4.2 Labeling algorithm

The algorithm given in section 3 produces the marking graph of the T-TPN. We show here that it can easily be labeled to generate a Timed Automaton timed bisimilar to the T-TPN.

Let $\mathcal{G} = (\mathcal{M}, \mathcal{T})$ be the graph produced by the algorithm, where:

• $\mathcal{M}$ is the set of reachable markings of the T-TPN: $M_0, \ldots, M_p$,

• $\mathcal{T}$ is the set of transitions: $T_0, \ldots, T_q$.

The Timed Automaton will be obtained by associating to each marking an invariant and to each transition a guard and some clock assignments.



4.2.1 Invariant

First, an invariant is associated with each marking $M_k$. By construction, in each marking, only the possible evolution of time is computed: the entering zone is intersected with the set of constraints $\{x_i \leq \beta_i\}$, where the $x_i$ are the clocks of the transitions enabled by the marking $M_k$. Then, the invariant associated with each marking $M_k$ is defined by:

$Inv(M_k) = \{x_i \leq \beta_i \mid t_i \in enabled(M_k)\}$
4.2.2 Guard

Each transition of the graph $\mathcal{G}$ corresponds to the firing of a transition $t_i$. We then label it by:

• the action name $t_i$,

• the guard: $x_i \geq \alpha_i$,

• the clock assignments: $x_k \leftarrow 0$ for all clocks $x_k$ associated with a newly enabled transition $t_k$.



4.3 Marking Timed Automaton

The Timed Automaton we obtain is then defined as follows:

Definition 8 (Marking Timed Automaton)

• $L = \{M_0, \ldots, M_p\}$ is the set of localities, i.e. the set of reachable markings of the T-TPN.

• $l_0 = M_0$ is the initial locality.

• $C = \{x_1, \ldots, x_q\}$ is the set of clocks, i.e. the set of all clocks associated with a transition.

• $A = \{t_1, \ldots, t_q\}$ is the set of actions, i.e. the transitions of the T-TPN.

• $E \subseteq L \times C(C) \times A \times 2^C \times L$ is the finite set of transitions. Let $e = (M_i, \gamma, a, R, M_j)$ be a transition; $e$ is defined as follows:

— $a = t_k$

— $\gamma = x_k \geq \alpha_k$

— $R = \{x_l \mid t_l \in \uparrow enabled(M_i, t_k)\}$

• $Inv : L \times C(C) \to \{true, false\}$, with:

$Inv(M_i) = \{x_l \leq \beta_l \mid t_l \in enabled(M_i)\}$



Example

Considering the T-TPN of figure 1, the resulting Timed Automaton is shown in figure 3.

[Figure 3: locations $M_0$ (invariant $x_1 < \infty \wedge x_2 \leq 1$), $M_1$ ($x_2 \leq 1$), $M_2$ ($x_3 \leq 1$) and $M_3$ ($x_3 \leq 1 \wedge x_1 < \infty$); edges labeled $T_1, x_1 \geq 0$; $T_2, x_2 \geq 1, x_3 := 0$; $T_3, x_3 \geq 1, x_2 := 0$]

Figure 3. Time Marking Automaton
4.4 Bisimulation



Definition 9

As defined in the timed transition system of a T-TPN $\mathcal{T}$, we note $Q_T$ the set of states of $\mathcal{T}$. $Q_A$ is the set of states of a TA $\mathcal{A}$.

Definition 10

Let $\mathcal{R} \subseteq Q_T \times Q_A$ be the relation between a state of the Time Petri Net and a state of the Timed Automaton defined by: two states are in relation if their "markings" and their clock valuations are equal, where $\mathcal{M}$ is the function giving the marking associated with a TA state $l$.

Theorem 2

$\mathcal{R}$ is a bisimulation: for all $(M, v)$, $(l, v)$ such that $(M, v)\,\mathcal{R}\,(l, v)$:

Proof

Continuous transition (time elapsing). Let $(M, v_T) \in Q_T$, $(l, v_A) \in Q_A$, and $\delta \in \mathbb{R}_{\geq 0}$.

We prove that if the T-TPN can idle in a state, this is allowed on the constructed TA, i.e. if the system can idle for any $\delta$ such that $\forall k \in [1, n]$, $M \geq {}^\bullet t_k \Rightarrow v_T(t_k) + \delta \leq \beta(t_k)$, then the automaton verifies $\forall t \in [0, \delta]$, $Inv(l)(v_A + t) = true$.

By construction, the invariant of the location $l$ is obtained as the conjunction of the latest firing times of enabled transitions. So $Inv(l) = \bigwedge \{x_i \leq \beta(t_i)\}$ where $t_i \in enabled(\mathcal{M}(l))$. $(M, v_T)$ and $(l, v_A)$ are in relation, so $v_T = v_A$. As $v_T(t_i) + \delta \leq \beta(t_i)$, then for all $t \in [0, \delta]$, $v_A(t_i) + t \leq \beta(t_i)$. This means that $\forall t \in [0, \delta]$, $Inv(l)(v_A + t) = true$.

To conclude, the automaton can idle in the state and $(M, v_T + \delta)\,\mathcal{R}\,(l, v_A + \delta)$.

Symmetrically, we prove that if the TA can idle for a time $\delta$, the T-TPN can idle for the same time $\delta$.

According to the semantics of T-TPN, a continuous transition can occur if and only if $\forall t_k \in enabled(M)$, $v_T(t_k) + \delta \leq \beta(t_k)$. As $(M, v_T)$ and $(l, v_A)$ are in relation, $v_T = v_A$. The TA can idle in the state, so for all $t \in [0, \delta]$, $v_A(t_i) + t \leq \beta(t_i)$ by construction of the invariant. Then, $t = \delta$ proves the result.

The T-TPN can idle in the marking and $(M, v_T + \delta)\,\mathcal{R}\,(l, v_A + \delta)$.
Concerning continuous transitions, $\mathcal{R}$ is a bisimulation.

Discrete transition (firing a transition $t_i$). Let $(M, v_T) \in Q_T$ and $(l, v_A) \in Q_A$ be two states in relation.

We prove that if a transition is firable for the T-TPN, it is firable for the TA and the two resulting states are in relation.

A transition $t_i$ of the T-TPN can be fired if $M \geq {}^\bullet t_i$ and $\alpha(t_i) \leq v_T(t_i) \leq \beta(t_i)$. The resulting marking is $M' = M - {}^\bullet t_i + t_i^\bullet$ and the resulting valuation is $v'_T(t_k) = 0$ for all newly enabled transitions $t_k$; all other valuations remain unchanged.

The corresponding action is allowed on the constructed TA if and only if the conditions of Definition 7 hold.

As $t_i$ is firable, there exists by construction a transition of the TA from $l$, such that $\mathcal{M}(l) = M$, to a location $l'$ such that $\mathcal{M}(l') = M'$. The guard is, by construction, $\gamma = x_i \geq \alpha(t_i)$. Thus, as $t_i$ is firable, $\gamma(v_A) = true$.

Also by construction, the clocks to be reset for the TA are the same clocks to be reset for the T-TPN. Thus, $v'_A = v'_T$.

As the clocks of newly enabled transitions are set to 0, they verify the inequalities $x_j \leq \beta(t_j)$ in the invariant of $l'$. All other clocks stay unchanged: $v'_A(t_j) \leq \beta(t_j)$ for all other enabled clocks. Thus, $Inv(l')(v'_A) = true$.

So the transition on the TA is allowed and $(M', v'_T)\,\mathcal{R}\,(l', v'_A)$.

Symmetrically, we prove that if $t_i$ is firable for the TA, it is firable for the T-TPN, and the two resulting states are in relation.

A transition $e = (l, t_i, \gamma, R, l')$ of the TA can occur and leads to a new state $(l', v'_A)$ if and only if $\gamma(v_A) = true$ and $Inv(l')(v'_A) = true$. Then $v'_A = v_A[R \leftarrow 0]$.

The corresponding action is allowed on the T-TPN and leads to a new state $(M', v'_T)$ if and only if:

$$\begin{cases} M \geq {}^\bullet t_i \\ M' = M - {}^\bullet t_i + t_i^\bullet \\ \alpha(t_i) \leq v_i \leq \beta(t_i) \end{cases}$$

By definition of the Marking Timed Automaton, if $t_i$ is firable for the TA, it is for the T-TPN. So $M \geq {}^\bullet t_i$ and the resulting marking is by definition $M' = M - {}^\bullet t_i + t_i^\bullet$.

$(l, v_A)$ and $(M, v_T)$ are in relation, so $v_T = v_A$.

As $\gamma(v_A) = true$ and $Inv(l)(v_A) = true$, $\alpha(t_i) \leq v_T(t_i) \leq \beta(t_i)$.

By construction, the clocks to be reset are the clocks of newly enabled transitions, i.e. the clocks of $R$. So $v'_A = v'_T$.

To conclude, $t_i$ is firable for the T-TPN and $(M', v'_T)$ and $(l', v'_A)$ are in relation.

$\mathcal{R}$ is a bisimulation for discrete transitions. □
Table 1. Time to compute the state space of a T-TPN

| Time Petri Net      | |P| / |T| | Tina        | Gpn               | Mercutio   |
|---------------------|-----------|-------------|-------------------|------------|
| Example 1 (oex15)   | 16 / 16   | 10.5 s      | 12.9 s            | 2 s        |
| Example 2 (oex7)    | 22 / 20   | 30.5 s      | 9.8 s             | 1.3 s      |
| Example 3 (oex8)    | 31 / 21   | 29 s        | 12.2 s            | 1.4 s      |
| Example 4 (P6C7)    | 21 / 20   | 31.6 s      | 1 min 17 s        | 7.9 s      |
| Example 5 (P10C10)  | 32 / 31   | 4.2 s       | 6.8 s             | 1 s        |
| Example 6 (GC-3)    | 20 / 23   | 2 s         | 1.2 s             | 0.1 s      |
| Example 7 (GC-4)    | 24 / 29   | 3 min 8 s   | 1 min 3 s         | 10.8 s     |
| Example 8 (P6C9)    | 25 / 24   | 2 min 49 s  | 6 min 2 s         | 22.9 s     |
| Example 9 (P6C10)   | 27 / 26   | 8 min 53 s  | 36 min            | 1 min      |
| Example 10 (P6C11)  | 29 / 28   | 14 min 36 s | 1 h 1 min         | 2 min 20 s |
| Example 11 (P6C12)  | 31 / 30   | 23 min 34 s | 2 h 7 min         | 3 min 59 s |
| Example 12 (P6C13)  | 33 / 32   | 36 min 25 s | X (out of memory) | 6 min 3 s  |


5 Performances 

We have implemented the algorithm to compute all the reachable markings of a 
bounded T-TPN using DBM (Difference Bounded Matrices) to encode zones. The 
tool implemented (Mercutio) is integrated into Romeo [Romeo 2003], a software 
for T-TPN edition and analysis. 

As boundedness of T-TPN is undecidable, Mercutio offers stopping criteria: 
number of reached markings, computation time, bound on the number of tokens in 
a place. It also provides an on-the-fly reachability test of markings and exports the 
automaton in Kronos or Uppaal syntax. Concerning the on-the-fly reachability 
test, Mercutio also provides a trace (sequence of transitions and interval in which 
they are fired) leading to the marking. 

5.1 Comparison with other methods 

We present here a comparison (Table 1) of three methods to compute the state 
space of a T-TPN: 

• the method proposed in this paper with our tool Mercutio. 

• the State Class Graph computation (Berthomieu) with the tool Tina. 

• the State Class Timed Automaton (Lime and Roux) with the tool Gpn. 

Computations were performed on a Pentium 2 (400MHz) with 320MB of RAM. 

Examples 1 to 5 come from real-time systems (parallel tasks [1], periodic tasks [2-3], 
producer-consumer [4-5, 8-12]). Examples 7 and 8 are the classical level crossing 
example (3 and 4 trains). 

For this set of examples, and for all nets we have tested, our tool performs better 
than both Tina and Gpn. For example 12, Gpn ran out of memory. 
Table 2. Structure of resulting Timed Automata 

                       T-TPN        Marking TA                          State Class TA 
Time Petri Net         Clocks (1)   Clocks (2)   Nodes (3)   Trans. (4)   Clocks   Nodes    Trans. 
Example 1 (oex15)      16           4            361         1095         4        998      3086 
Example 2 (oex7)       20           11           637         2284         7        1140     3990 
Example 3 (oex8)       21           11           695         2444         7        1277     4344 
Example 4 (P6C7)       20           13           449         4175         3        11490    50268 
Example 5 (P10C10)     31           4            1088        5245         2        1088     5245 
Example 6 (GC - 3)     23           5            94          271          3        286      763 
Example 7 (GC - 4)     29           6            318         1221         4        2994     11806 
Example 8 (P6C9)       24           15           1299        12674        3        24483    117918 
Example 9 (P6C10)      26           16           2596        27336        3        59756    313729 
Example 10 (P6C11)     28           17           4268        44620        3        82583    440540 
Example 11 (P6C12)     30           18           6846        70856        3        112023   606771 
Example 12 (P6C13)     32           19           10646       108842       X        X        X 

Number of: (1) clocks of the original T-TPN, (2) clocks of the TA, (3) nodes of the TA, 
(4) transitions of the TA. 



5.2 Reducing the number of clocks 

A major issue in model checking TA is the number of clocks in the automaton. 
Computation time is exponential in the number of clocks. Consequently, obtaining 
an automaton with a reduced number of clocks is of importance. 

The algorithm we propose assigns a clock to each transition. Thus, the resulting 
automaton has as many clocks as transitions of the T-TPN. However we have 
underlined that for each location, only a reduced number of clocks (active clocks) 
really matter for the timing evolution of the T-TPN. 

Daws and Yovine [Daws and Yovine 1996] proposed a syntactical method to 
reduce the number of clocks of a TA. As a single Timed Automaton is built with 
our method (no need to compute a parallel composition), we applied this reduction. 
Table 2 presents the comparison between the clocks of (1) the Timed Automa- 
ton obtained, (2) the Timed Automaton obtained after syntactical clock reduction 
(we used Optikron from Kronos [Yovine 1997]), (3) the State Class Timed Au- 
tomaton using Gpn, which ensures a minimal number of clocks using classes. 

These results are all the more encouraging as the clock reduction is made 
syntactically, at no cost compared to the state space computation. The State 
Class Timed Automaton always has a lower number of clocks, but its construction 
is not as fast as our method: the Timed Automaton has fewer clocks at the price 
of a greater size. For example 12, we have not succeeded in computing the State 
Class Timed Automaton (out of memory). 



6 Applications 

We propose in this section some applications of our method to model-check T-TPN. 

6.1 Model checking of Quantitative Properties 

Since they were introduced, Timed Automata have been an active research area and 
several methods and tools have been developed to analyze them. Tools like Up- 
paal [Larsen et al. 1997] or Kronos [Yovine 1997] successfully implement effi- 
cient algorithms and data structures to provide model-checking on TA (TCTL 
model-checking for instance): numerous case studies have been performed with real 
reactive systems. 

Concerning T-TPN, few studies have been realized and the properties that can be checked 
are mainly untimed safety properties (reachability). Timed or untimed properties 
are mainly verified over T-TPN using "observers". Basically, a property is trans- 
formed into an additional T-TPN motif called an "observer", and then the problem 
is transformed into a reachability test. Such methods are not easy to use: (1) 
modeling the property with an observer is not easy (some generic ob- 
servers exist [Toussaint et al. 1997], but for few properties), (2) the observer's size may 
be as large as the initial T-TPN, (3) due to the increase of the T-TPN's size, 
computing the state space will be more time expensive. 

The method we propose here is to use existing TA tools to perform model- 
checking of T-TPN. As a Timed Automaton is produced, model-checking a T-TPN 
(LTL, CTL) becomes possible and verifying quantitative time properties (TCTL) is 
possible too. Moreover, as the automaton constructed is a Timed Automaton with 
diagonal-free constraints, model checking can be done using on-the-fly algorithms 
on TA (Uppaal [Larsen et al. 1997], Kronos [Yovine 1997]). 



Example 

Let us consider the classical level crossing example. The system is modeled using 
the three patterns of Figure 4. This model is made of a controller (4(a)), a barrier 
model (4(b)) and four identical trains (4(c)). The resulting Petri Net is obtained 
by the parallel composition of these T-TPN. 

The property "the barrier is closed when a train crosses the road" is a safety 
property and is interpreted as a reachability test: we want to check whether there exists 
a state such that for some train $i$: $M(On_i) = 1$ and $M(Closed) = 0$. This can 
be checked directly on the computed graph using Mercutio or using Uppaal 
to test the property. In Uppaal, the property is expressed as: E<>((M[On1]==1 
or M[On2]==1 or M[On3]==1 or M[On4]==1) and M[Closed]==0). In both cases, the 
result is False, proving that no train may cross the road while the barrier is not 
closed. 

Using the automaton, it is possible to express timed properties. For instance, "when 
the train $i$ approaches, the barrier closes within delay $\delta$" may be checked. In 
TCTL this property is expressed by: $M(close_i) = {\uparrow}1 \implies \forall\Diamond_{\le \delta}\, M(closed) = 1$. 
$M(close_i) = {\uparrow}1$ means that only states for which $M(close_i) = 1$ in the state and 
$M(close_i) = 0$ for all the preceding states are considered. To check this property on the TA using 
Uppaal or on the T-TPN using reachability analysis leads to creating an observer or 
modifying the model. For instance, to use Uppaal we have to add an additional clock 
that starts when a train changes its state to $close_i$. By using Kronos, there is no 
need to modify the model or create an observer. Given the TA and a TCTL formula, Kronos 
can perform model-checking using classical TCTL forward or backward algorithms. 

Figure 4. Gate Controller: (a) Controller, (b) Barrier model, (c) Train model 

6.2 Mixing Timed Automata and Time Petri Nets 

The method proposed in this paper provides a common framework for using and 
analyzing reactive systems modeled with Timed Automata or Time Petri Nets. 

Many systems are modeled using T-TPN (FIP, CAN); nevertheless some prob- 
lems (time controller synthesis for instance) benefit from broader studies and efficient 
tools. Then, it may be necessary to have a mixed representation of the system. 

We give here some examples of mixing Timed Automata and Time Petri Nets: 

Test Case Given a reactive system expressed with a T-TPN, different scenarios 
may be studied by synchronizing it with a Test Automaton. This Test Automaton 
represents the sequence of transitions to be fired and the synchronization is made 
over the firing of transitions. 

Controller Given a reactive system expressed with a T-TPN, a controller may be 
modeled using TA to constrain the execution of the system. 



7 Conclusions 

In this paper, we proposed an efficient method to compute the state space of a 
bounded T-TPN. The proposed algorithm performs a forward computation of the 
state space and we proved it is exact with respect to reachability, even for bounded 
T-TPN with $\infty$ as latest firing time. We proposed a labeling algorithm of the 
produced graph to build a Timed Automaton that we proved to be timed bisimilar 
to the original T-TPN. Some examples were given to show that our tool performs 
better than two other methods used to compute the state space of a T-TPN: the 
State Class Timed Automaton (Gpn) and the State Class Graph (Tina). Though 
the number of clocks of our TA is greater than that of the State Class Timed 
Automaton, our construction is faster and syntactical clock reduction algorithms 
may be successfully applied to reduce it. 

Consequently, our method allows the use of Timed Automata tools to model- 
check T-TPN. In particular, the Timed Marking Automaton makes TCTL model- 
checking feasible for bounded T-TPN, which, to our knowledge, has not been done 
before. 

We are currently involved in two different research areas. First, we think it possible 
to use efficient data structures (BDD-like structures) to improve our implementation, 
and we are studying Partial Order methods to reduce time and space requirements. 
Finally, it would be useful to develop a full model-checker for T-TPN without 
having to build the Timed Automaton. Then, a further step in the analysis of real- 
time reactive systems will be to provide methods for the time controller synthesis 
problem for T-TPN. 